Hi Guys,
I've configured SignServer 3.6.2 using the default installation guide (https://www.signserver.org/manual/installguide.html). I've created 4 workers: a TimestampSigner and a PDFSigner with their respective Cryptotoken workers. The certs used for this configuration were created on the same machine with openssl (self-signed CA). Everything works as expected.
Now the question: Is there a way to "autoactivate" the workers? Every time the JBoss instance is restarted, the workers must be manually activated.
Inside the sample configs I found a parameter called KEYSTOREPASSWORD which says:
"Optional password of the keystore. If specified the token is "auto-activated"." But I don't know if that's the option that I'm looking for (or how to use it). I've assigned a password for the keystore, but after restarting the JBoss instance the workers started in "OFFLINE MODE", so I don't know if I'm missing something.
Info:
OS: Centos 6.7
Java: OpenJDK 1.7.0_75
ANT: 1.9.4
Signserver: CE 3.6.2
openssl: 1.0.1e
Jboss: 6.3 EAP
Thanks.
Last edit: Clio Brando 2015-10-20
Hi Clio,
Yes, the worker property "KEYSTOREPASSWORD" is the right one to set in your crypto worker for it to start activated. That is if you are using a KeystoreCryptoToken, P12CryptoToken or JKSCryptoToken. You should then set the password in that property in your crypto worker, i.e. the same place as you have the KEYSTOREPATH. For other crypto token types such as PKCS11CryptoToken (as used with an HSM) the property is instead called "PIN".
Directly after specifying this property in the GUI the worker should switch to be online. If you are using the CLI with the setproperty command you will also have to issue the reload WORKERID command for the change to get loaded.
Do you see any error message in the Status tab (or using getstatus in the CLI)?
Cheers,
Markus
PrimeKey Solutions
Hi Markus,
I just checked the properties (using the GUI), both tokens are P12CryptoTokens and have the KEYSTOREPASSWORD property set.
The status tab shows no error (I've attached 2 captures from my dev virtual machine).
Maybe I'm missing something extra.
Thank you.
Last edit: Clio Brando 2015-10-30
I think your configuration looks correct.
I just tested having two crypto workers with autoactivation and a few workers using them, and I can restart the application server and they will come up as active. I have only tested with the latest 3.7 though, so there is a chance something has been fixed in either 3.6.3 or 3.7.0.
Regards,
Markus
Thank you Markus,
I'll try with signserver 3.7 then.
I'll keep this post updated.
Thanks.
Hi Markus,
I've solved the problem; it seems that my p12 file was corrupted (or badly generated).
I upgraded from 3.6.2 to 3.7.0 and the tokens didn't autoactivate, so I just started from 0.
Regenerated all the certs and the keystores and it just worked.
So I took the new certs and keystores and installed on the 3.6.2 version and it worked too.
Seems that I forgot something when I was generating the keystores for the first time.
Thank you for your time and help.
Last edit: Clio Brando 2015-11-10
Ok, great that you got it working.
Cheers,
Markus
PrimeKey Solutions
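An added example, not part of the thread and not SignServer code: a pre-restart check based on Markus's reply about KEYSTOREPASSWORD and PIN, which reports crypto workers that lack the auto-activation property for their token type and the signers that depend on them. The `WORKER<id>.` properties layout, the `CRYPTOTOKEN` reference by worker `NAME`, and the sample values are assumptions made for illustration.

```python
import re

# Crypto token type -> property that auto-activates it (from the reply above).
ACTIVATION_PROPERTY = {
    "KeystoreCryptoToken": "KEYSTOREPASSWORD",
    "P12CryptoToken": "KEYSTOREPASSWORD",
    "JKSCryptoToken": "KEYSTOREPASSWORD",
    "PKCS11CryptoToken": "PIN",
}
# Assumed layout: WORKER<id>.<KEY> = <value>, optionally prefixed with GLOB.
LINE = re.compile(r"^(?:GLOB\.)?WORKER(\d+)\.([\w.]+)\s*=\s*(.*)$")

# Constructed sample: worker 2 is a P12 token with PIN set instead of
# KEYSTOREPASSWORD; "changeit" is a placeholder password.
SAMPLE = """\
GLOB.WORKER1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.P12CryptoToken
WORKER1.NAME = CryptoTokenTS
WORKER1.KEYSTOREPASSWORD = changeit
GLOB.WORKER2.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.P12CryptoToken
WORKER2.NAME = CryptoTokenPDF
WORKER2.PIN = changeit
WORKER3.NAME = TimeStampSigner
WORKER3.CRYPTOTOKEN = CryptoTokenTS
WORKER4.NAME = PDFSigner
WORKER4.CRYPTOTOKEN = CryptoTokenPDF
"""

def parse_workers(text):
    """Return {worker_id: {PROPERTY: value}} from KEY = VALUE lines."""
    workers = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            workers.setdefault(int(m.group(1)), {})[m.group(2).upper()] = m.group(3).strip()
    return workers

def audit(text):
    """Return (worker_id, message) for every worker that will not auto-activate."""
    workers, offline, findings = parse_workers(text), set(), []
    for wid, props in sorted(workers.items()):
        ttype = next((v.rsplit(".", 1)[-1] for v in props.values()
                      if v.rsplit(".", 1)[-1] in ACTIVATION_PROPERTY), None)
        if ttype and not props.get(ACTIVATION_PROPERTY[ttype]):
            offline.add(props.get("NAME"))
            findings.append((wid, f"{ttype}: {ACTIVATION_PROPERTY[ttype]} not set"))
    for wid, props in sorted(workers.items()):
        if props.get("CRYPTOTOKEN") in offline - {None}:
            findings.append((wid, f"depends on offline token {props['CRYPTOTOKEN']}"))
    return findings

if __name__ == "__main__":
    for wid, msg in audit(SAMPLE):
        print(f"worker {wid}: {msg}")
```

A set property is necessary but not sufficient: the keystore must also open with that password, so an empty result here does not rule out a bad keystore file.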